Bug 1413596 - RFE: Enable MAC spoofing for SR-IOV virtual functions.
Status: NEW
Alias: None
Product: Virtualization Tools
Classification: Community
Component: libvirt
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Laine Stump
Reported: 2017-01-16 13:23 UTC by Leon Goldberg
Modified: 2019-02-13 22:59 UTC
Description Leon Goldberg 2017-01-16 13:23:15 UTC
Although it is possible to set MAC spoofing off for virtual
functions in virtio, it is currently impossible via libvirt's hostdev

This inhibits functionality that requires in-guest MAC alterations such as
having a virtual function be part of a bond or a bridge.

For example, if we're interested in setting MAC spoofing off in a
bridge interface, we add a 'no-mac-spoofing' filter tag:

<interface type='bridge'>
    <source bridge='br0'/>
    <mac address='00:16:3e:1a:b3:4a'/>
    <filter name='no-mac-spoofing'/>
    <model type='virtio'/>
</interface>

The default configuration sets MAC spoofing on, and it is configurable via
the filter tag. In a hostdev interface, however, MAC spoofing is disabled by default and is not configurable.

Similarly to the aforementioned bridge example, please consider adding a filter tag to allow MAC spoofing in a hostdev interface:

<interface type='hostdev' managed='yes'>
    <source>
        <address type='pci' domain='0x0' bus='0x00' slot='0x07' function='0x0'/>
    </source>
    <mac address='52:54:00:6d:90:02'/>
    <filter/> <!-- disable filters (implicitly allows mac spoofing)? -->
</interface>

Comment 1 Laine Stump 2017-01-16 14:58:27 UTC
The <filter> element is only for configuring libvirt's nwfilter rules. Making a single config item have a secondary implied functionality has historically led to problems later, so if there is a config option for this, it should stand on its own.

Beyond that, is it really necessary to allow MAC spoofing in order for bonding to work? Can't you just set the MAC address of the interface to the desired value in the libvirt config in the first place? (There is nothing in libvirt preventing multiple interfaces from having the same configured MAC address.)

Comment 2 Leon Goldberg 2017-01-17 14:25:15 UTC
I see. If so, indeed, perhaps some other suitable element then?

This is up to the guest to decide; I don't think enforcing similar MAC addresses as anything beyond a temporary solution is appropriate.

Besides, I'm sure there are other scenarios where enforcing similar MAC addresses won't work or is not relevant (a bond consisting of more than 1 VF, a bridge, etc.)

Comment 3 Laine Stump 2017-01-19 18:00:02 UTC
My point is that you can set the MAC address to anything you like in the libvirt config, including setting two interfaces to the same MAC address. So does bonding require that the guest have the interface MAC address initially set to one particular MAC address, and then later at runtime changed to something else? Or can the MAC addresses of the two interfaces simply be set identically in the libvirt config?

Comment 4 Leon Goldberg 2017-01-23 19:37:06 UTC
We don't want to continuously police MAC addresses; we want the guest to be able to spoof them as per virtio's default. Bonding was one example where spoofing would be useful, but there are multiple others (in-guest bridge, etc).
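
For auditing what a host currently enforces on each virtual function, here is an added example (not part of the original bug report and not libvirt code). It parses the per-VF lines that iproute2's `ip link show` prints for a physical function and lists VFs whose spoof checking is off. The sample output is constructed, and the interface name, function names and allow-list parameter are assumptions made for illustration.

```python
import re

# Constructed sample of `ip link show dev <PF>` output (not captured from a real host).
# Both per-VF line styles are included: older "vf N MAC ..." and newer "vf N link/ether ...".
SAMPLE = """\
6: enp5s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether a0:36:9f:00:00:01 brd ff:ff:ff:ff:ff:ff
    vf 0     link/ether 52:54:00:6d:90:02 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off
    vf 1 MAC 52:54:00:6d:90:03, vlan 100, spoof checking off, link-state auto
    vf 2     link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off
"""

PF_RE = re.compile(r"^\d+:\s+([^:@\s]+)")  # "6: enp5s0f0: <...>" -> enp5s0f0
VF_RE = re.compile(r"^\s+vf\s+(\d+)\s+(?:MAC|link/ether)\s+([0-9a-fA-F:]{17})")
SPOOF_RE = re.compile(r"spoof checking (on|off)")


def parse_vfs(text):
    """Return one dict per VF line: parent PF, VF index, MAC, spoof-check state."""
    vfs, pf = [], None
    for line in text.splitlines():
        m = PF_RE.match(line)
        if m:
            pf = m.group(1)
            continue
        m = VF_RE.match(line)
        if not m:
            continue
        s = SPOOF_RE.search(line)
        vfs.append({
            "pf": pf,
            "vf": int(m.group(1)),
            "mac": m.group(2).lower(),
            "spoofchk": s.group(1) if s else None,  # None: state not reported
        })
    return vfs


def findings(vfs, allowed_off=frozenset()):
    """VFs with spoof checking off that are not on the (hypothetical) allow-list."""
    return [(v["pf"], v["vf"]) for v in vfs
            if v["spoofchk"] == "off" and (v["pf"], v["vf"]) not in allowed_off]


if __name__ == "__main__":
    for pf, vf in findings(parse_vfs(SAMPLE)):
        print(f"{pf} vf {vf}: spoof checking is off")
```
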
